Skip to content
Cloudflare API
Start here
API Reference
Zero Trust
Devices
Policies
Custom

List device settings profiles

GET/accounts/{account_id}/devices/policies

Fetches a list of the device settings profiles for an account.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Path ParametersExpand Collapse
account_id: string
ReturnsExpand Collapse
errors: array of ResponseInfo { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
messages: array of ResponseInfo { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
result: array of SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 24 more }
allow_mode_switch: optional boolean

Whether to allow the user to switch WARP between modes.

allow_updates: optional boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: optional boolean

Whether to allow devices to leave the organization.

auto_connect: optional number

The amount of time in seconds to reconnect after having been disabled.

captive_portal: optional number

Turn on the captive portal after the specified amount of time.

default: optional boolean

Whether the policy is the default policy for an account.

description: optional string

A description of the policy.

maxLength500
disable_auto_fallback: optional boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: optional boolean

Whether the policy will be applied to matching devices.

exclude: optional array of SplitTunnelExclude

List of routes excluded in the WARP client’s tunnel.

One of the following:
TeamsDevicesExcludeSplitTunnelWithAddress { address, description }
address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
TeamsDevicesExcludeSplitTunnelWithHost { host, description }
host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
exclude_office_ips: optional boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: optional array of FallbackDomain { suffix, description, dns_server }
suffix: string

The domain suffix to match when resolving locally.

description: optional string

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: optional array of string

A list of IP addresses to handle domain resolution.

gateway_unique_id: optional string
include: optional array of SplitTunnelInclude

List of routes included in the WARP client’s tunnel.

One of the following:
TeamsDevicesIncludeSplitTunnelWithAddress { address, description }
address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
TeamsDevicesIncludeSplitTunnelWithHost { host, description }
host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
lan_allow_minutes: optional number

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: optional number

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: optional string

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength500
name: optional string

The name of the device settings profile.

maxLength100
policy_id: optional string
maxLength36
precedence: optional number

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: optional boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: optional boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: optional { mode, port }
mode: optional string

The mode to run the WARP client under.

port: optional number

The port number when used with proxy mode.

support_url: optional string

The URL to launch when the Send Feedback button is clicked.

switch_locked: optional boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

target_tests: optional array of { id, name }
id: optional string

The id of the DEX test targeting this policy.

name: optional string

The name of the DEX test targeting this policy.

tunnel_protocol: optional string

Determines which tunnel protocol to use.

success: true

Whether the API call was successful.

result_info: optional { count, page, per_page, total_count }
count: optional number

Total number of results for the requested service.

page: optional number

Current page within paginated list of results.

per_page: optional number

Number of results per page of results.

total_count: optional number

Total results available without any search parameters.

List device settings profiles

curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policies \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "allow_mode_switch": true,
      "allow_updates": true,
      "allowed_to_leave": true,
      "auto_connect": 0,
      "captive_portal": 180,
      "default": false,
      "description": "Policy for test teams.",
      "disable_auto_fallback": true,
      "enabled": true,
      "exclude": [
        {
          "address": "192.0.2.0/24",
          "description": "Exclude testing domains from the tunnel"
        }
      ],
      "exclude_office_ips": true,
      "fallback_domains": [
        {
          "suffix": "example.com",
          "description": "Domain bypass for local development",
          "dns_server": [
            "1.1.1.1"
          ]
        }
      ],
      "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
      "include": [
        {
          "address": "192.0.2.0/24",
          "description": "Include testing domains in the tunnel"
        }
      ],
      "lan_allow_minutes": 30,
      "lan_allow_subnet_size": 24,
      "match": "identity.email == \"test@cloudflare.com\"",
      "name": "Allow Developers",
      "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "precedence": 100,
      "register_interface_ip_with_dns": true,
      "sccm_vpn_boundary_support": false,
      "service_mode_v2": {
        "mode": "proxy",
        "port": 3000
      },
      "support_url": "https://1.1.1.1/help",
      "switch_locked": true,
      "target_tests": [
        {
          "id": "id",
          "name": "name"
        }
      ],
      "tunnel_protocol": "wireguard"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "allow_mode_switch": true,
      "allow_updates": true,
      "allowed_to_leave": true,
      "auto_connect": 0,
      "captive_portal": 180,
      "default": false,
      "description": "Policy for test teams.",
      "disable_auto_fallback": true,
      "enabled": true,
      "exclude": [
        {
          "address": "192.0.2.0/24",
          "description": "Exclude testing domains from the tunnel"
        }
      ],
      "exclude_office_ips": true,
      "fallback_domains": [
        {
          "suffix": "example.com",
          "description": "Domain bypass for local development",
          "dns_server": [
            "1.1.1.1"
          ]
        }
      ],
      "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
      "include": [
        {
          "address": "192.0.2.0/24",
          "description": "Include testing domains in the tunnel"
        }
      ],
      "lan_allow_minutes": 30,
      "lan_allow_subnet_size": 24,
      "match": "identity.email == \"test@cloudflare.com\"",
      "name": "Allow Developers",
      "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "precedence": 100,
      "register_interface_ip_with_dns": true,
      "sccm_vpn_boundary_support": false,
      "service_mode_v2": {
        "mode": "proxy",
        "port": 3000
      },
      "support_url": "https://1.1.1.1/help",
      "switch_locked": true,
      "target_tests": [
        {
          "id": "id",
          "name": "name"
        }
      ],
      "tunnel_protocol": "wireguard"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}